Cyber Resilience

CVE-2022-1271

High

Published: 31 August 2022
Modified: 09 June 2025
KEV Added: not listed
Patch: 07 April 2022
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0081 (74.7th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-1271 is a high-severity Incorrect Behavior Order: Early Validation (CWE-179) vulnerability in GNU gzip. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 25.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-1271 is an arbitrary file write vulnerability in the zgrep utility included with GNU gzip. The flaw stems from insufficient validation of filenames containing two or more newline characters, allowing an attacker-supplied filename to embed both the content to be written and the path of a target file; when zgrep processes such a crafted name, it writes the attacker-controlled data to an arbitrary location on the filesystem.

A remote attacker with low privileges can exploit the issue by supplying a maliciously named file to zgrep. Successful exploitation grants the ability to overwrite arbitrary files, resulting in high impact to confidentiality, integrity, and availability as reflected in the CVSS 8.8 score.

The EPSS score for this vulnerability rose from a low baseline to a peak of 0.0763 on 2025-01-22 before receding to the current value of 0.0081, indicating that exploitation interest increased well after the 2022 disclosure. Public references from Red Hat, Debian, and the GNU project track the issue and associated patches.

EU & UK References

Vulnerability details

An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied to an attacker-chosen file name (for example, a crafted file name), it can write attacker-controlled content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines, where the selected content and the target file name are embedded in the crafted multi-line file name. It allows a remote, low-privileged attacker to force zgrep to write arbitrary files on the system.
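The defensive checks below are an added example written for this record; they are not code from the CVE entry, from GNU gzip or from any of the listed vendors. They assume a POSIX filesystem (which permits newline characters in file names) and, for the wrapper only, that a `zgrep` binary is on the PATH. The scanner flags any path component carrying a newline so an administrator can find such names before they reach an unpatched zgrep, and the wrapper refuses to pass them on at all, which is stricter than the two-newline condition the page describes.

```python
"""Defensive checks for newline-injection in file names (CVE-2022-1271 class).

Added example, not part of the CVE record or of GNU gzip.  Assumes a POSIX
filesystem, where a file name may legally contain '\n' or '\r'.
"""
import os
import subprocess
import tempfile
from typing import Dict, List

NEWLINE_CHARS = ("\n", "\r")


def newline_count(name: str) -> int:
    """Number of newline or carriage-return characters in a single path component."""
    return sum(name.count(c) for c in NEWLINE_CHARS)


def is_unsafe_name(name: str) -> bool:
    """True if a path (or path component) contains any newline.

    The CVE text describes names with two or more newlines; a defender has no
    legitimate reason to accept even one, so any newline is treated as unsafe.
    """
    return newline_count(name) > 0


def find_unsafe_names(root: str) -> List[str]:
    """Walk `root` and return the full paths whose last component contains a newline."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for n in dirnames + filenames:
            if is_unsafe_name(n):
                hits.append(os.path.join(dirpath, n))
    return sorted(hits)


def safe_zgrep(pattern: str, paths: List[str]) -> subprocess.CompletedProcess:
    """Run zgrep only after every path argument has been validated.

    Raises ValueError on an unsafe path instead of handing it to zgrep.  The
    command is given as an argument list (no shell) so names are not re-parsed.
    Assumes a `zgrep` binary is on the PATH (hypothetical deployment detail).
    """
    for p in paths:
        if is_unsafe_name(p):
            raise ValueError("refusing path with embedded newline: %r" % p)
    return subprocess.run(
        ["zgrep", "--", pattern, *paths], capture_output=True, text=True, check=False
    )


def demo() -> Dict[str, object]:
    """Build a scratch tree holding one constructed multi-line name and scan it."""
    with tempfile.TemporaryDirectory() as root:
        normal = os.path.join(root, "normal.gz")
        # Constructed sample: a name carrying two newlines (three visible "lines").
        crafted = os.path.join(root, "data\nsecond\nthird.gz")
        for path in (normal, crafted):
            open(path, "w").close()
        hits = find_unsafe_names(root)
        return {
            "hits": [os.path.basename(h) for h in hits],
            "crafted_newlines": newline_count(os.path.basename(crafted)),
        }


if __name__ == "__main__":
    print(demo())
```

Run the scanner against backup or upload directories that untrusted users can populate; on an unpatched host a single hit is worth investigating, since ordinary tooling never produces such names.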

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

gnu / gzip: ≤ 1.12
redhat / jboss data grid: 7.0.0
debian / debian linux: 10.0
tukaani / xz: ≤ 5.2.5

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-20: Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.

Addresses CWE-20: Security testing and evaluation at multiple SDLC stages directly detect missing or flawed input validation, with the required remediation process ensuring fixes are applied.

Addresses CWE-20: Directly implements checks on information inputs to reject invalid data before processing.

Addresses CWE-20: Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.

References